We use the 608a chip from Microchip, and are switching to the 608b for next batches.
There is no critical vulnerability in the 608a, it's just not recommended for new designs because the 608b is rolling out. The 608b does have some kind of security enhancements but Microchip has not provided any further info. My guess is the 608b further protects against sophisticated lab-based laser attacks.
In order to compromise the 608a, the 508a, or many chips like it, you can use expensive lab equipment to grind down the top layers of the chip and shine lasers at it in an attempt to extract some data. My guess is we'll see similar attacks against the 608b, and I am sure Ledger's team is already trying to break the 608b.
Every chip is vulnerable to these kinds of targeted, sophisticated attacks, and we've seen everything from Apple's chips to Intel SGX, etc., be compromised in the last few years.
Passport's dual-chip architecture removes the need to place all your trust in a single chip, and requires that an attacker compromise both the STM processor and the Microchip secure element.
You'd have to be specifically targeted for this attack, your device would have to be brought to a lab and taken apart, the chips would need to be removed from the board, etc.
Contrast that with something like a Trezor, which does not use a secure element and can be trivially voltage-glitched using $100 of hardware.
There is no perfect security, but we can ship devices that require enormous cost and time to break into. Things like Multisig and Passphrases also render these sophisticated attacks useless.
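The "trust split across two chips" idea in the post above, as an added illustration that is not code from the original thread, from Passport, or from Microchip. It is a constructed toy model: the seed is held as two XOR shares, one on the MCU and one in a simulated secure element, so extracting one chip's contents alone reveals nothing about the seed. It goes a step beyond the post by also modelling the secure element's usual role of gating its share behind a PIN with a bounded attempt counter; the class, function names and the 3-attempt limit are hypothetical choices for the demo.

```python
"""Toy model of a dual-chip wallet: the seed is never stored whole on either chip.

Constructed illustration only (not Passport's or Microchip's actual design).
The MCU holds one XOR share; the simulated secure element holds the other and
releases it only after PIN authentication with a bounded attempt counter.
"""
import secrets
from typing import Optional

SEED_LEN = 32  # bytes; a 256-bit seed, constructed size for this demo


def split_seed(seed: bytes) -> tuple[bytes, bytes]:
    """2-of-2 XOR secret sharing: returns (mcu_share, se_share).

    Each share on its own is uniformly random and independent of the seed,
    so dumping a single chip gives an attacker no information about the seed.
    """
    mcu_share = secrets.token_bytes(len(seed))
    se_share = bytes(a ^ b for a, b in zip(seed, mcu_share))
    return mcu_share, se_share


def combine_shares(mcu_share: bytes, se_share: bytes) -> bytes:
    """Reconstruct the seed; this needs the output of BOTH chips."""
    if len(mcu_share) != len(se_share):
        raise ValueError("share length mismatch")
    return bytes(a ^ b for a, b in zip(mcu_share, se_share))


def consistent_partner_share(known_share: bytes, candidate_seed: bytes) -> bytes:
    """Given one extracted share, return the partner share that would make
    `candidate_seed` the true seed. Every candidate has exactly one such
    partner, which is why one share carries no information about the seed."""
    return bytes(a ^ b for a, b in zip(known_share, candidate_seed))


class SimulatedSecureElement:
    """Stand-in for the secure element's role (hypothetical behaviour):
    hold a share, gate it behind a PIN, wipe it after too many failures."""

    def __init__(self, se_share: bytes, pin: str, max_attempts: int = 3) -> None:
        self._share: Optional[bytes] = se_share
        self._pin = pin.encode()
        self._max = max_attempts
        self._remaining = max_attempts

    @property
    def remaining_attempts(self) -> int:
        return self._remaining

    def release_share(self, pin_attempt: str) -> Optional[bytes]:
        """Return the share on a correct PIN, None otherwise.

        The counter is decremented BEFORE the comparison, so an interrupted
        check still costs an attempt; the share is wiped on lockout."""
        if self._share is None or self._remaining <= 0:
            return None
        self._remaining -= 1
        if secrets.compare_digest(pin_attempt.encode(), self._pin):
            self._remaining = self._max  # reset on success
            return self._share
        if self._remaining == 0:
            self._share = None  # wipe: the SE share is gone for good
        return None


def run_demo(seed: bytes, pin: str) -> dict:
    """Three scenarios; returns a dict of booleans so each can be checked."""
    mcu_share, se_share = split_seed(seed)
    results = {}

    # 1. Legitimate user: MCU share + SE share (after correct PIN) -> seed.
    se = SimulatedSecureElement(se_share, pin)
    results["legit"] = combine_shares(mcu_share, se.release_share(pin)) == seed

    # 2. Only the MCU share is known: any seed is still equally consistent.
    other_seed = secrets.token_bytes(len(seed))
    partner = consistent_partner_share(mcu_share, other_seed)
    results["one_share_ambiguous"] = combine_shares(mcu_share, partner) == other_seed

    # 3. Repeated wrong PINs: the SE locks and wipes, even the right PIN fails after.
    se2 = SimulatedSecureElement(se_share, pin, max_attempts=3)
    for wrong in ("0000", "1111", "2222"):
        se2.release_share(wrong)
    results["locked_after_failures"] = se2.release_share(pin) is None
    return results


if __name__ == "__main__":
    print(run_demo(secrets.token_bytes(SEED_LEN), "4711"))
```

The XOR split is the simplest 2-of-2 scheme; a production design would additionally bind the shares to the specific chip pair (for example by deriving them with the secure element's own keys), which is out of scope here. The point the model makes is the one the post makes: with the seed split this way, a successful extraction from either chip on its own yields a uniformly random string, and the secure element's attempt counter bounds how many PIN guesses it will answer.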
Seems like a critical vulnerability to me:
"In 2020, we evaluated the Microchip ATECC508A Secure Memory circuit. We identified a vulnerability allowing an attacker to read a secret data slot using single Laser Fault Injection. Subsequently, the product life cycle of this chip turned to be deprecated, and the circuit has been superseded by the ATECC 608A, supposedly more secure. We present a new attack allowing retrieval of the same data slot secret for this new chip, using a double Laser Fault Injection to bypass two security tests during a single command execution. A particular hardware wallet is vulnerable to this attack, as it allows stealing the secret seed protected by the Secure Element. This work was conducted in a black box approach. We explain the attack path identification process, using help from power trace analysis and up to 4 faults in a single command, during an intermediate testing campaign. We construct a firmware implementation hypothesis based on our results to explain how the security and one double-check counter-measure are bypassed."